many fixes from cab testing

2005-05-25 20:58:21 +00:00 · 2005-05-25 20:58:21 +00:00 · efd8ede34d
parent c9a26b3e95
commit efd8ede34d
18 changed files with 343 additions and 164 deletions
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@ -266,6 +266,8 @@ terminal_get_general_physical_terminal_attributes(rpm_script_t)
 terminal_list_pseudoterminals(rpm_script_t)

 authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
+# ideally we would not need this
+authlogin_manage_all_files_except_shadow(rpm_script_t)

 corecommands_execute_general_programs(rpm_script_t)
 corecommands_execute_system_programs(rpm_script_t)
@ -307,8 +309,6 @@ ifdef(`TODO',`
 allow rpm_script_t sysfs_t:dir r_dir_perms;

 # ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
 allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };

 allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@ -300,9 +300,11 @@ define(`bootloader_modify_kernel_modules',`
 requires_block_template(`$0'_depend)
 allow $1 modules_object_t:file { getattr create read write setattr unlink };
 allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+typeattribute $1 can_modify_kernel_modules;
 ')

 define(`bootloader_modify_kernel_modules_depend',`
+attribute can_modify_kernel_modules;
 type modules_object_t;
 class file { getattr create read write setattr unlink };
 class dir { getattr search read write add_name remove_name };
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -425,77 +425,20 @@ class dir { getattr read search };
 class chr_file { getattr write ioctl };
 ')

-########################################
-#
-# devices_read_dev_null(domain)
-#
-define(`devices_read_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr read };
-')
-
-define(`devices_read_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr read };
-')
-
-########################################
-#
-# devices_write_dev_null(domain)
-#
-define(`devices_write_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr append write };
-')
-
-define(`devices_write_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr append write };
-')
-
 ########################################
 #
 # devices_use_dev_null(domain)
 #
 define(`devices_use_dev_null',`
-devices_read_dev_null($1)
-devices_write_dev_null($1)
-')
-
-########################################
-#
-# devices_read_dev_zero(domain)
-#
-define(`devices_read_dev_zero',`
 requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr read };
+allow $1 null_device_t:chr_file { getattr read write append ioctl };
 ')

-define(`devices_read_dev_zero_depend',`
-type device_t, zero_device_t;
+define(`devices_use_dev_null_depend',`
+type device_t, null_device_t;
 class device_t:dir { getattr read search };
-class chr_file { getattr read };
-')
-
-########################################
-#
-# devices_write_dev_zero(domain)
-#
-define(`devices_write_dev_zero',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr append write };
-')
-
-define(`devices_write_dev_zero_depend',`
-type device_t, zero_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr append write };
+class chr_file { getattr read write append ioctl };
 ')

 ########################################
@ -503,8 +446,15 @@ class chr_file { getattr append write };
 # devices_use_dev_zero(domain)
 #
 define(`devices_use_dev_zero',`
-devices_read_dev_zero($1)
-devices_write_dev_zero($1)
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read search };
+allow $1 zero_device_t:chr_file { getattr read write append ioctl };
+')
+
+define(`devices_use_dev_zero_depend',`
+type device_t, zero_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr read write append ioctl };
 ')

 ########################################
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@ -972,6 +972,29 @@ class dir { getattr search read };
 class chr_file { getattr read write ioctl };
 ')

+########################################
+## <interface name="filesystem_relabel_tmpfs_character_devices">
+##	<description>
+##		Relabel character nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_relabel_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_relabel_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class chr_file { getattr relabelfrom relabelto };
+')
+
 ########################################
 ## <interface name="filesystem_use_tmpfs_block_devices">
 ##	<description>
@ -995,6 +1018,29 @@ class dir { getattr search read };
 class blk_file { getattr read write ioctl };
 ')

+########################################
+## <interface name="filesystem_relabel_tmpfs_block_devices">
+##	<description>
+##		Relabel block nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_relabel_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_use_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class blk_file { getattr relabelfrom relabelto };
+')
+
 ########################################
 ## <interface name="filesystem_manage_tmpfs_character_devices">
 ##	<description>
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -94,15 +94,19 @@ filesystem_get_all_filesystems_attributes(crond_t)

 terminal_ignore_use_console(crond_t)

-init_use_file_descriptors(crond_t)
-init_script_use_pseudoterminal(crond_t)
+# need auth_chkpwd to check for locked accounts.
+authlogin_check_password_transition(crond_t)
+
+corecommands_execute_shell(crond_t)
+corecommands_read_system_programs_directory(crond_t)

 domain_use_widely_inheritable_file_descriptors(crond_t)

 files_read_general_system_config(crond_t)
+files_read_system_spools(crond_t)

-corecommands_execute_shell(crond_t)
-corecommands_read_system_programs_directory(crond_t)
+init_use_file_descriptors(crond_t)
+init_script_use_pseudoterminal(crond_t)

 libraries_use_dynamic_loader(crond_t)
 libraries_use_shared_libraries(crond_t)
@ -115,8 +119,7 @@ selinux_newrole_sigchld(crond_t)

 miscfiles_read_localization(crond_t)

-# need auth_chkpwd to check for locked accounts.
-authlogin_check_password_transition(crond_t)
+userdomain_use_all_unprivileged_users_file_descriptors(crond_t)

 tunable_policy(`fcron_crond', `
 allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
@ -136,7 +139,6 @@ ifdef(`TODO',`
 # NB The constraints file has some entries for crond_t, this makes it
 # different from all other domains...

-allow crond_t unpriv_userdomain:fd use;
 allow crond_t autofs_t:dir { search getattr };
 dontaudit crond_t sysadm_home_dir_t:dir search;

@ -153,18 +155,15 @@ allow crond_t autofs_t:dir { search getattr };

 # Read from /var/spool/cron.
 allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t var_spool_t:file { getattr read };
 allow crond_t mail_spool_t:dir search;
+# for if /var/mail is a symlink
+allow crond_t mail_spool_t:lnk_file read;

 allow crond_t default_t:dir search;

 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;

-# for if /var/mail is a symlink
-allow crond_t mail_spool_t:lnk_file read;
-
 # to search /home
 allow crond_t user_home_dir_type:dir r_dir_perms;

@ -269,6 +268,9 @@ files_get_all_file_attributes(system_crond_t)
 files_read_general_application_resources(system_crond_t)
 # for nscd:
 files_ignore_search_runtime_data_directory(system_crond_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_system_spools(system_crond_t)

 corecommands_execute_general_programs(system_crond_t)
 corecommands_execute_system_programs(system_crond_t)
@ -324,14 +326,9 @@ allow system_crond_t var_t:file { getattr read ioctl };
 allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;

-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
 # for if /var/mail is a symlink
 allow system_crond_t mail_spool_t:lnk_file read;

-
 #
 #  These rules are here to allow system cron jobs to su
 #
@ -360,7 +357,6 @@ mta_send_mail_transition(system_crond_t)
 # system_mail_t should only be reading from the cron fifo not needing to write
 dontaudit system_mail_t crond_t:fifo_file write;
 allow mta_user_agent system_crond_t:fd use;
-allow mta_user_agent system_crond_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')

--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -440,6 +440,58 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 class lnk_file { create read getattr setattr link unlink rename };
 ')

+########################################
+## <interface name="authlogin_relabel_all_files_except_shadow">
+##	<description>
+##		Relabel all files on the filesystem, except
+##		the shadow passwords and listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+
+define(`authlogin_relabel_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_relabel_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_relabel_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
+########################################
+## <interface name="authlogin_manage_all_files_except_shadow">
+##	<description>
+##		Manage all files on the filesystem, except
+##		the shadow passwords and listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+
+define(`authlogin_manage_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_manage_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_manage_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
 ########################################
 ## <interface name="authlogin_utempter_transition">
 ##	<description>
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -62,7 +62,7 @@ define(`domain_make_entrypoint_file',`
 requires_block_template(`$0'_depend)
 allow $1 $2:file entrypoint;
 files_make_file($2)
-typeattribute $1 entry_type;
+typeattribute $2 entry_type;
 ')

 define(`domain_make_entrypoint_file_depend',`
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -99,7 +99,7 @@ attribute tmpfsfile;
 ########################################
 #
 # files_get_all_file_attributes(domain)
-#
+
 define(`files_get_all_file_attributes',`
 requires_block_template(`$0'_depend)
 allow $1 file_type:dir { search getattr };
@ -119,23 +119,37 @@ class sock_file getattr;
 ')

 ########################################
+## <interface name="files_relabel_all_files">
+##	<description>
+##		Relabel all files on the filesystem, except
+##		the listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
-# files_manage_all_files_labels(type)
-#
-define(`files_manage_all_files_labels',`
+define(`files_relabel_all_files',`
 requires_block_template(`$0'_depend)
-allow $1 file_type:dir { getattr relabelfrom relabelto };
-allow $1 file_type:file { getattr relabelfrom relabelto };
-allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
-allow $1 file_type:fifo_file { getattr relabelfrom relabelto };
-allow $1 file_type:sock_file { getattr relabelfrom relabelto };
-allow $1 file_type:blk_file { getattr relabelfrom };
-allow $1 file_type:chr_file { getattr relabelfrom };
+allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto };
+allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+# satisfy the assertions:
+selinux_relabelto_binary_policy($1)
 ')

-define(`files_manage_all_files_labels_depend',`
+define(`files_relabel_all_files_depend',`
 attribute file_type;
-class dir { relabelfrom relabelto };
+class dir { getattr search read relabelfrom relabelto };
 class file { relabelfrom relabelto };
 class lnk_file { relabelfrom relabelto };
 class fifo_file { relabelfrom relabelto };
@ -144,6 +158,43 @@ class blk_file relabelfrom;
 class chr_file relabelfrom;
 ')

+########################################
+## <interface name="files_manage_all_files">
+##	<description>
+##		Manage all files on the filesystem, except
+##		the listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`files_manage_all_files',`
+requires_block_template(`$0'_depend)
+allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
+allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+# satisfy the assertions:
+selinux_write_binary_policy($1)
+bootloader_modify_kernel_modules($1)
+')
+
+define(`files_manage_all_files_depend',`
+attribute file_type;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 ########################################
 #
 # files_search_all_directories(domain)
@ -646,6 +697,20 @@ class fifo_file { getattr unlink };
 class sock_file { getattr unlink };
 ')

+########################################
+#
+# files_search_general_application_resources_dir(domain)
+#
+define(`files_search_general_application_resources_dir',`
+requires_block_template(`$0'_depend)
+allow $1 usr_t:dir search;
+')
+
+define(`files_search_general_application_resources_dir_depend',`
+type usr_t;
+class dir search;
+')
+
 ########################################
 #
 # files_read_general_application_resources(domain)
@ -998,4 +1063,38 @@ type var_t, var_spool_t;
 class dir { getattr search read };
 ')

+########################################
+#
+# files_read_system_spools(domain)
+#
+define(`files_read_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read };
+allow $1 var_spool_t:file { getattr read };
+')
+
+define(`files_read_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# files_manage_system_spools(domain)
+#
+define(`files_manage_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
+allow $1 var_spool_t:file { getattr create read write append unlink setattr };
+')
+
+define(`files_manage_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write append unlink setattr };
+')
+
 ## </module>
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@ -44,6 +44,7 @@ filesystem_get_persistent_filesystem_attributes(getty_t)
 terminal_use_all_terminals(getty_t)
 terminal_set_console_attributes(getty_t)

+init_script_modify_runtime_data(getty_t)
 init_script_use_pseudoterminal(getty_t)

 files_modify_system_runtime_data(getty_t)
@ -55,6 +56,9 @@ files_read_general_system_config(getty_t)

 authlogin_modify_login_records(getty_t)

+libraries_use_dynamic_loader(getty_t)
+libraries_use_shared_libraries(getty_t)
+
 locallogin_transition(getty_t)

 logging_send_system_log_message(getty_t)
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -112,7 +112,7 @@ optional_policy(`netutils.te', `
 netutils_transition(hotplug_t)
 filesystem_use_tmpfs_character_devices(hotplug_t)
 ') dnl endif netutils optional
-files_get_system_lock_file_attribues(hotplug_t)
+files_get_system_lock_file_attributes(hotplug_t)
 ')dnl end distro_redhat tunable

 tunable_policy(`targeted_policy', `
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -21,6 +21,12 @@ type init_exec_t;
 kernel_make_userland_entrypoint(init_t,init_exec_t)
 domain_make_entrypoint_file(init_t,init_exec_t)

+#
+# init_var_run_t is the type for /var/run/shutdown.pid.
+#
+type init_var_run_t;
+files_make_daemon_runtime_file(init_var_run_t)
+
 #
 # initctl_t is the type of the named pipe created 
 # by init during initialization.  This pipe is used
@ -28,14 +34,6 @@ domain_make_entrypoint_file(init_t,init_exec_t)
 #
 type initctl_t;
 files_make_file(initctl_t)
-filesystem_tmpfs_associate(initctl_t)
-devices_create_dev_entry(init_t,initctl_t,fifo_file)
-
-#
-# init_var_run_t is the type for /var/run/shutdown.pid.
-#
-type init_var_run_t;
-files_make_daemon_runtime_file(init_var_run_t)

 type initrc_t;
 domain_make_domain(initrc_t)
@ -70,6 +68,10 @@ allow init_t init_exec_t:file { getattr read execute execute_no_trans };
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
 files_create_daemon_runtime_data(init_t,init_var_run_t)

+allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
+filesystem_tmpfs_associate(initctl_t)
+devices_create_dev_entry(init_t,initctl_t,fifo_file)
+
 # Run init scripts.  this is ok since initrc
 # is also in this module
 allow init_t initrc_t:process transition;
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -132,6 +132,7 @@ class file { getattr read write };
 #
 define(`libraries_use_shared_libraries',`
 requires_block_template(`$0'_depend)
+files_search_general_application_resources_dir($1)
 allow $1 lib_t:dir { getattr search read };
 allow $1 lib_t:lnk_file { getattr read };
 allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@ -570,6 +570,29 @@ class dir { getattr search read write add_name remove_name };
 class file { getattr create write unlink };
 ')

+########################################
+## <interface name="selinux_relabelto_binary_policy">
+##	<description>
+##		Allow the caller to relabel a file to the binary policy type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
 ########################################
 #
 # selinux_manage_binary_policy(domain)
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;

 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
 allow checkpolicy_t selinux_config_t:dir search;

 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir { getattr search read };
 allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };

-allow newrole_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };

 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)

 domain_use_widely_inheritable_file_descriptors(load_policy_t)

+files_search_general_system_config_directory(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_use_shared_libraries(load_policy_t)

@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)

 userdomain_use_all_users_file_descriptors(load_policy_t)

-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
 ########################################
 #
 # Newrole local policy
@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
 # relabeling rules
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
 files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
 tunable_policy(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
 ')

 ifdef(`TODO',`
@ -333,11 +332,6 @@ ifdef(`TODO',`
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };

-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
 allow restorecon_t fs_type:dir r_dir_perms;

 allow restorecon_t device_t:file { read write };
@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(setfiles_t)

--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@ -570,6 +570,29 @@ class dir { getattr search read write add_name remove_name };
 class file { getattr create write unlink };
 ')

+########################################
+## <interface name="selinux_relabelto_binary_policy">
+##	<description>
+##		Allow the caller to relabel a file to the binary policy type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
 ########################################
 #
 # selinux_manage_binary_policy(domain)
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;

 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
 allow checkpolicy_t selinux_config_t:dir search;

 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir { getattr search read };
 allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };

-allow newrole_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };

 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)

 domain_use_widely_inheritable_file_descriptors(load_policy_t)

+files_search_general_system_config_directory(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_use_shared_libraries(load_policy_t)

@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)

 userdomain_use_all_users_file_descriptors(load_policy_t)

-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
 ########################################
 #
 # Newrole local policy
@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
 # relabeling rules
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
 files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
 tunable_policy(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
 ')

 ifdef(`TODO',`
@ -333,11 +332,6 @@ ifdef(`TODO',`
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };

-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
 allow restorecon_t fs_type:dir r_dir_perms;

 allow restorecon_t device_t:file { read write };
@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(setfiles_t)

--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@ -57,9 +57,9 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli
 allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })

-# Allow dhcpc_t to use packet sockets
+allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
 allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-
 allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };

 allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -10,6 +10,10 @@

 define(`base_user_domain',`

+attribute $1_file_type;
+
+type $1_t, userdomain;
+corecommands_make_shell_entrypoint($1_t)
 role $1_r types $1_t;
 allow system_r $1_r;

@ -370,9 +374,10 @@ define(`user_domain_template', `
 # Declarations
 #

-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)

-type $1_t, userdomain, unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
 domain_make_domain($1_t)
 domain_make_file_descriptors_widely_inheritable($1_t)

@ -398,9 +403,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # Local policy
 #

-# Inherit rules for ordinary users.
-base_user_domain($1)
-
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 terminal_create_private_pseudoterminal($1_t,$1_devpts_t)

@ -584,9 +586,10 @@ define(`admin_domain_template',`
 # Declarations
 #

-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)

-type $1_t, userdomain, privhome; #, admin, web_client_domain, nscd_client_domain;
+typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception($1_t)
 domain_make_domain($1_t)
 role system_r types $1_t;
@ -615,9 +618,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # $1_t local policy
 #

-# Inherit rules for ordinary users.
-base_user_domain($1)
-
 allow $1_t self:capability ~sys_module;
 allow $1_t self:process { setexec setfscreate };

@ -682,6 +682,11 @@ terminal_use_general_physical_terminal($1_t)
 terminal_use_all_private_pseudoterminals($1_t)
 terminal_use_all_private_physical_terminals($1_t)

+# Manage almost all files
+authlogin_manage_all_files_except_shadow($1_t)
+# Relabel almost all files
+authlogin_relabel_all_files_except_shadow($1_t)
+
 domain_set_all_domains_priorities($1_t)

 files_execute_system_source_code_scripts($1_t)
@ -710,18 +715,6 @@ ifdef(`TODO',`
 # Let admin stat the shadow file.
 allow $1_t shadow_t:file getattr;

-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
 # for lsof
 allow $1_t mtrr_device_t:file getattr;